On May 20, 2024, a proposal for a law on artificial intelligence (“AI”) was laid before the Italian Senate.

The proposed law sets out (1) general principles for the development and use of AI systems and models; (2) sectorial provisions, particularly in the healthcare sector and for scientific research for healthcare; (3) rules on the national strategy on AI and governance, including designating the national competent authorities in accordance with the EU AI Act; and (4) amendments to copyright law. 

We provide below an overview of the proposal’s key provisions.

Objectives and General Principles

The proposed law aims to promote a “fair, transparent and responsible” use of AI, following a human-centered approach, and to monitor potential economic and social risks, as well as risks to fundamental rights.  The law will sit alongside and complement the EU AI Act (for more information on the EU AI Act, see our blogpost here).  (Article 1)

The proposed law sets out general principles, based on the principles developed by the Commission’s High-level expert group on artificial intelligence, pursuing three broad objectives:

  1. Fair algorithmic processing. Research, testing, development, implementation and application of AI systems must respect individuals’ fundamental rights and freedoms, and the principles of transparency, proportionality, security, protection of personal data and confidentiality, accuracy, non-discrimination, gender equality and inclusion.
  2. Protection of data. The development of AI systems and models must be based on data and processes that are proportionate to the sectors in which they’re intended to be used, and ensure that data is accurate, reliable, secure, qualitative, appropriate and transparent.  Cybersecurity throughout the systems’ lifecycle must be ensured and specific security measures adopted.
  3. Digital sustainability. The development and implementation of AI systems and models must ensure human autonomy and decision-making, prevention of harm, transparency and explainability.  (Article 3)

Definitions

The definitions relied upon by the proposed law, such as “AI system” and “[general-purpose] AI model” are the same as those of the EU AI Act, while the definition of the term “data” is based on the Data Governance Act.  (Article 2)

Processing of Personal Data Related to the Use of AI Systems

Information and disclosures relating to the processing of data must be drafted in clear and plain language, to ensure full transparency and the ability to object to unfair processing activities.

Minors of 14+ years of age can provide their consent to the processing of personal data related to the use of AI systems, provided that the relevant information and disclosures are easily accessible and comprehensible.  Access to AI by minors below the age of 14 requires parental consent.  (Article 4)

Use of AI in the Healthcare Sector

As a general objective, the proposed law sets out that AI systems should contribute to the improvement of the healthcare system, prevention and treatment of diseases, while respecting the rights, freedoms and interests of individuals, including their data protection rights. 

The use of AI systems in the healthcare system must not select, nor influence, access to medical services on a discriminatory basis.  Individuals have a right to be informed about the use of AI and its advantages relating to diagnosis and therapy, and to obtain information about the logic involved in decision-making.

Such AI systems are intended to support processes of prevention, diagnosis, treatment and therapeutic choice.  Decision-making must remain within the healthcare professional’s purview.  (Article 7)

Scientific Research to Develop AI Systems for the Healthcare Sector

The proposed law aims to simplify data protection-related obligations for scientific research carried out by public and private not-for-profit entities, for processing of personal data, including health data, for scientific research purposes to develop AI systems for the prevention, diagnosis and treatment of diseases, development of medicines, therapies and rehabilitation technologies, and manufacturing of medical devices.  (Article 7)

In particular, the proposed law:

  • Lifts the requirement to obtain the data subject’s consent, by identifying the purposes mentioned above as “substantial public interests”, in accordance with Article 9(2)(g) of GDPR.  This does not apply to business and for-profit activities.
  • Authorizes secondary use of personal data, including special categories of data, stripped of direct identifiers, for processing for the mentioned “substantial public interests”.  As a result, a new consent is no longer required if the research changes.

In such cases, the following requirements apply:

  • Transparency and information obligations towards data subjects may be met in a simplified form, for instance, by publishing a privacy notice on the data controller’s website.
  • The processing activities must be (1) approved by the competent ethics committee and (2) communicated to the Italian data protection authority (“Garante”), and (3) certain information must be shared with the Garante, including a data protection impact assessment and any processors indicated.  Processing may start 30 days after such communication, if the Garante does not issue a blocking measure.  (Article 8)

These provisions align with a recent amendment of the Italian Privacy Code concerning processing for medical research purposes (see our blogpost here).

Other Sectorial Provisions

The use of AI systems in the employment context must be safe, reliable, transparent, and must respect human dignity and the protection of personal data.  The employer must inform the worker of the use of any AI, together with other information to be provided before the employment commences.  (Article 10)

In the context of regulated professions, AI may only be used for supporting tasks.  To preserve the fiduciary relationship with the client, information about any AI systems used by the practitioner must be communicated in a clear, plain and comprehensive manner.  (Article 12)

National Strategy on AI

The proposed law introduces a national strategy on AI, to be updated every two years, intended to frame a public-private partnership, coordinate the activities of public bodies, and set measures and economic incentives to promote business and industrial development in the field of AI.  (Article 17)

Governance

The proposed law designates two competent national authorities for AI, as required by the EU AI Act, with competence to apply and enforce national and EU law on AI, as follows:

  • Agenzia per l’Italia digitale (“AgID”, the agency for “digital Italy”).  AgID will be responsible for (1) promoting innovation and development of AI, and (2) setting procedures and exercising functions relating to the notification, evaluation, accreditation and monitoring of the notified bodies tasked with conducting conformity assessments of AI systems pursuant to the EU AI Act.
  • Agenzia per la cybersicurezza nazionale (“ACN”, the agency for national cybersecurity).  ACN will be (1) entrusted with monitoring, inspection and enforcement powers over AI systems, in accordance with the rules of the EU AI Act, and (2) responsible for promoting and developing AI from a cybersecurity perspective.

The Garante, although not designated as a competent authority for AI, maintains its competence and powers in relation to the processing of personal data.  (Article 18)

The Italian Government is also delegated to adopt, within 12 months from the entry into force of the law, the legislation needed to align national law to the EU AI Act.  (Article 22)

Labelling of AI-generated News and Information

The proposed law establishes a requirement to apply an “AI” mark, label or announcement to any news or informational content that is entirely generated by AI, or partially modified or altered by AI, in such a way that it appears to present fictional data, facts and information as real.  (Article 23)

Copyright Protection and AI-generated Works

The proposed law introduces certain amendments to copyright law.  In particular, with regard to AI-generated works, it clarifies that only works of the human intellect are protected by copyright, including where the work was created with the support of AI tools, to the extent it is the result of the author’s intellectual endeavor.  (Article 24)

Criminal Provisions

Among other things, the proposed law establishes a new offence targeting the unauthorized dissemination of images, video or audio falsified or altered by AI, when it is capable of misleading with regard to its authenticity.  The new offence carries a sanction of 1-3 years of imprisonment.  (Article 25)

Next Steps

As part of the legislative process, the proposed law will need to be reviewed, discussed and approved by the Senate, and will then be passed on to the Chamber of Deputies, which must approve the same text.  Once formally approved, the law will enter into force on the 15th day after its publication in the Italian Official Journal.

***

Covington’s Data Privacy and Cybersecurity Team continues to monitor developments on AI, and regularly advises clients on their most challenging regulatory and compliance issues in the EU and other major markets.  If you have questions about the proposed Italian law on AI or the EU AI Act, we are happy to assist with any queries.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.